Making password entry difficult is like attempting weight loss by eating bland food.
It's not the flavour that makes you fat.
Nonetheless, there's this perception that something delicious can't be good for a diet. People have this notion that to lose weight, there must be penance. An element of punishing oneself for past transgressions seems essential.
Security people have the same mindset. Security must be a hassle. It must be in your face. It has to be onerous. A challenge. A hurdle to get past.
I've tried, over and over, to explain to my customers that often the slickest, most hassle-free approach is the most secure. But this almost never sells.
Meanwhile, I see vendor after vendor successfully selling products that exist only to irritate users.
There was a recent discussion on HN that branches into this idea about the importance of UX. I agree with you, with a twist.
What you want is that the happy path for security is zero hassle, but the unhappy paths should also drop dead with zero hassle.
This is the UX I really like for WebAuthn / U2F.
All the interactions on the happy path are very smooth. Need a second factor, tap, go. Almost frictionless. On my phone for example you tap the same fingerprint sensor that would ordinarily unlock the phone. Short of not having a second factor at all it couldn't be smoother.
But if this is actually a phishing site or you're a crook who doesn't have the hardware token, it just doesn't work. Still low friction in a sense, but low friction failure. There is no way forward, no override, no "I'm sure", nothing - it just won't work.
Just had to abandon a Trello account because of this. They state if you lose your device for TFA you have just lost your account. Okay, bank level security for a PM tool...
Keep the 2fa code sequences safe in a separate keepass or any password database; & you can move 2fa anytime. Even Google updated its Auth app to export all keys.
Aside: it'd be cool to have a tool that could find the discussion you referenced in your first sentence. I wonder if Algolia is working on something in the space of topical search.
The security industry is a high paid specialization in an already highly paid industry, and it attracts an enormous number of complete charlatans. It’s incredibly easy to be a security charlatan, most of the people you work with won’t understand what it is you’re supposed to be doing, so they won’t know any better when you tell them to do literally anything at all. You can create an endless stream of busywork for yourself, by making an endless stream of nonsensical risk assessments, and anytime you don’t know what to do you can just say no. Anytime you’re questioned you can just say it’s best practice, and chances are some authority at some point in time said it was.
Other risk-related fields typically have at least some of the same issues. Risk avoidance is always a no-effort strategy, and the industry is full of people who rely on it entirely, because they don’t have the skills to implement actual mitigation strategies.
Yeah I'm a contractor that basically works on modernising the SDLC and target platforms. Nothing fancy.
Pretty much in all circumstances the outright adversary is Enterprise Architecture or Security using governance and security to push complex standards that don't work and result making changes harder and unpatched systems.
Some of them are receptive if you communicate the issues in terms of risk, but many, most in my experience, are only receptive if you put it in writing and copy in their boss.
I don't have the data on sales, so I can't comment on that. Without seeing the marketing, it's hard to tell why OP's solutions are not chosen. (I don't expect it to be as easy as "it's not difficult enough")
Yea, but you could have chosen not to comment at all without detracting from the conversation. If folks around here don’t know what security folks do you have much, much, much larger concerns. Why not engage in good faith? If you can’t do that why comment at all?
Because "security people want to make your life harder" is a meme that needs to die. People actually believe that and if we don't call out that it's wrong and harmful, it will continue to be repeated.
> Making password entry difficult is like attempting weight loss by eating bland food. It's not the flavour that makes you fat.
Big side-tangent, but amusingly enough, one modern view on the etiology of metabolic syndrome is that your brain tracks satiety for different nutrient classes separately; so foods that are "tasty" in the sense of containing many different nutrient-signals (sugar, salt, fat, acid, etc.) take larger quantities of food to signal fullness (something something liver metabolism is a rate-limited queue); so if you start off hungry and eat such foods until you "feel full", you will have eaten more of them than you "should have", to the point of eventually doing excitotoxic things to your leptin receptors, inducing leptin resistance and making you feel hungry more often.
Which is to say, it's not flavor that makes you fat, but rather flavors, plural. ;)
The advice of the scientists who subscribe to this hypothesis is that you don't have to eat bland food; you just have to eat monotonous food (food only containing one primary nutrient-signal), and you'll feel full with less of it. When you sit down for a meal, eat all meat, or all bread, or all green leafy vegetables. Balance your diet by having something different each meal, not by combining foods in a single meal. Avoid foods that are themselves "combinations", like pizza. Avoid adding a secondary nutrient-signal to something to "amp up" the taste, like adding sugary+oily dressing to a mineral-y salad. Just choose foods that already taste good to you without any "amping up", and eat those, by themselves.
This is, after all, the real "paleo diet": when animals kill prey, they eat just meat for a meal. When they find fruit, they eat just fruit for a meal. They don't bring them together to eat them all at once.
(Whatever you think of the hypothesis, studies have been done which confirm the advice: eating monotonously per meal, makes you feel full after less food intake. You hit a wall with a kind of "tired/bored of eating this, disgusted by the idea of eating more" feeling, which makes you lose the rest of your appetite. That's your body's nutrient-satiety mechanism kicking in correctly.)
This all sounds very interesting, but doesn’t at all match my lived experience.
I’ve dieted now a few times quite successfully while living with a chef roommate.
He cooks amazing meals. Salads with more ingredients than I’d ever bother to use, stuff like that. As a chef he really puts time into hitting many flavors (not always, but often).
I’ve never had an easier time losing weight than this last time! Down to my healthiest in years, and been super happy with how easy it’s felt.
Here’s a theory: I’m getting a lot of happiness from eating delicious food. If I eat bland things, sure over time I may adapt to it. But to be honest, getting joy out of eating is one of just two things that is an inexhaustible source of delight for humans. Trying to diet and deprive yourself of flavor is like fighting two dragons at once.
The dopamine/serotonin balance I get from a well crafted, layered meal is actually what keeps me satisfied and feeling like “I had my pleasure, I owe it to myself to accept that as enough”. A fun diet is easier to follow.
Edit: just to add. I also get a ton of happiness from cooking new and interesting things. To me, the craft of cooking also helps mentally. I get satisfaction from trying new things, being creative, pleasing my SO, etc - humans need some amount of creativity and play. By fulfilling that through cooking, you avoid seeking it in eating. I’ve noticed clearly when we make a nice meal I’m so happy at just having done something well, my dopamine is low once it’s time to eat.
> If I eat bland things, sure over time I may adapt to it.
I think you're arguing with the GP comment, not my comment. The kind of "diet" being described in my comment above—if you even want to think of it as a diet—doesn't actually stop you from eating anything, if you count by "flavor experiences" rather than "meal experiences." It just makes you get your "flavor experiences" separately, rather than all at the same time. (Or "as separately as you can." A food with N-1 macronutrients is still going to fill you up faster than a food with N macronutrients; so just minimizing macronutrient variety per meal is fine. You don't have to strictly limit yourself to some small number. Eating a salad with dressing as your meal, is still better than eating a salad with dressing and meat in it.)
Most foods invented throughout history actually already fit this "diet." Vegetable soups, however many ingredients, still have only two or three major macronutrients. Roasted poultry only has one. Mashed potatoes only have two. A steak has one. Fruit pies have three. Nigiri sushi has three. Most authentic italian pastas have three. Even "bad for you" foods like hot dogs or mac-and-cheese only have three, if you make them from scratch.
There are two types of recipes that have high macronutrient variety: those invented throughout history to be served to nobility/royalty, that were "fancy for the sake of being fancy"; and those invented in the modern era of year-round grocery-store ingredient availability (and thus no need to work with what's in-season, freshly-harvested, before it rots.)
Sandwiches, hamburgers, American pizza, "tex-mex" tacos/burritos, and other food-court staples: nine or more macronutrients each. The kind of cheese powder found in doritos or shelf-stable mac&cheese counts for eight by itself! The average take-out order of "American Chinese food" hits almost a dozen. Most French sauces reach seven macronutrients on their own, before counting what you're putting them on. A full English breakfast has twenty macronutrients.
Some of these are capitalism at work, creating ever-greater superstimuli out of originally-simpler meals (e.g. pinche tacos; authentic regional Chinese cuisine; etc.) You can just buck that trend, and be healthier for it.
But for some of the others, the macronutrient-variety is fundamental to what the food "is." In those cases, keep in mind that most of the food experiences these foods give you, are made up of—"synthesized" from—simpler standalone food experiences, that just happen to be happening at the same time in your mouth, without really being one unified food experience. You can have the experience of eating just the "melty cheese" part of a pizza—that's raclette. You can have the experience of eating just the meat part of a hamburger—that's a hamburger steak. A loaded twice-baked potato breaks down into two separate meals: baked potatoes + sour cream, and a pasta-salad-like dish. Etc.
None of these are "less tasty" when taken separately. They're just different ways of having the same experiences. If you like, you can eat garlic bread for one meal, a Greek salad for the next, and charcuterie for a third—and you'll have "eaten a pizza" of whatever toppings you like. (Personally, I'd rather just eat a simple caprese pizza, which has ~5 macronutrients; but if you prefer the complex flavors, go ahead and have them. Just—separately.) Likewise, if you're getting American Chinese take-out, you can just eat one of the dishes you ordered per meal, rather than trying to have a little bit of all of them each meal. (Some of those dishes are, individually, pretty macronutrient-rich, but if you want those flavors, this is how to get them.)
Of course, you can have complex foods if you do it as an indulgence, the way people think of ice cream (which is actually not an indulgence under this paradigm; you'd get full on a meal of pure ice-cream quite quickly, if you were just eating from hunger, rather than stress-eating.) You'd just have to be consciously aware that your body isn't going to correctly estimate when you've had enough everything-pizza, and so you'll have to consciously limit your intake rather than relying on satiety in that case. You'll likely end up somewhat hungry after such a meal. That's fine—you'll get to feel full again soon-enough, as long as your next meal after that is a low-macronutrient-variety one.
> They're just different ways of having the same experiences. If you like, you can eat garlic bread for one meal, a Greek salad for the next, and charcuterie for a third—and you'll have "eaten a pizza" of whatever toppings you like.
I'd argue that the simultaneity is a new experience though. Just as playing first the low notes and then the high notes of a musical score sounds radically different than playing both scores at the same time, the taste of pizza is exactly the interaction between cheese flavour, bread and topping.
The theory about satiation sounds plausible and I can easily imagine that you will eat less by consuming only monotonous meals, but I'd disagree that this would be the same experience or be similarly enjoyable.
I was explicitly claiming that I think having more variety of flavors and ingredients together makes it easier, so yea it was an example against your theory.
Also your examples fit my experience as well. A hot dog is best with some mustard, relish, maybe grilled onions. The bread has milk, sesame seeds often. The hot dog itself is seasoned with a variety of spices.
Bread (a refined food) will make you sick and fat before it makes you full. Maybe a very whole wheat would work OK in this system.
Fruits are also a highly refined food (genetically engineering/ artificially selected for extremely high sugar.)
Years ago I believe it was Microsoft that found via some method that the higher the rate of required password changes + difficult password rules...the more likely they found larger / more obvious security issues.
It was (is?) common practice to have a visual keyboard to enter the password in extremely sensitive applications like banking. This prevents the password from being captured by keyloggers and from being saved by the browser, because malware automatically extract and collect these, which was a very real issue with banking.
Wow. Even if I didn't use a password manager, that last point would make this unusable for me. When I do use passwords, I remember them through muscle memory, and having to not type parts of it would throw me off. I would actually change banks over that.
Not necessarily. You could store $10 \choose 5 = 252$ hashes for each user.
We did something similar for call center caller authentication (you don't want the operator to get the whole PIN of the user, so he asked only for e.g. two characters). Not that this would be very useful, security-wise.
> Not necessarily. You could store $10 \choose 5 = 252$ hashes for each user.
Wouldn't this be way easier to crack if the password hashes were leaked? Once you crack one 5-letter hash, you can trivially crack the one that shares 4 characters with it, and do that repeatedly until you have all 10 characters.
You're reducing the effective search space not by a factor of 252 (8 bits of entropy, which would often be acceptable) but to its square root, losing half of the entropy.
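The two comments above describe the weakness concretely enough to demonstrate. The following is an added example, not code from any poster or from a real bank: a server that enrols one salted hash per 5-of-10 position subset (the 252 rows mentioned above), a login check that asks for only the characters at some positions, and the offline attack on a leaked table that brute-forces one subset and then extends it one character at a time through overlapping subsets. The digits-only alphabet, the password and the plain SHA-256 hash are constructed choices so the demo finishes in seconds; the work ratio (roughly the square root of the full search) is the same for a larger alphabet or a slow KDF.

```python
import hashlib
import hmac
import itertools
import os

# Constructed parameters: digits only so the demo finishes in seconds.
# With a 62-character alphabet the ratio is unchanged, only the absolute
# work changes (62**5 for the attack versus 62**10 for a full search).
ALPHABET = "0123456789"
PASSWORD_LEN = 10
SUBSET_SIZE = 5


def _digest(salt: bytes, chars: str) -> bytes:
    # Assumption: a plain salted SHA-256. A slow KDF scales the defender's
    # and the attacker's cost by the same factor, so the ratio holds.
    return hashlib.sha256(salt + chars.encode()).digest()


def enroll(password: str) -> dict:
    """Server side: one salted hash per 5-of-10 position subset (252 rows)."""
    if len(password) != PASSWORD_LEN:
        raise ValueError("demo expects a 10-character password")
    table = {}
    for positions in itertools.combinations(range(PASSWORD_LEN), SUBSET_SIZE):
        salt = os.urandom(16)
        chars = "".join(password[i] for i in positions)
        table[positions] = (salt, _digest(salt, chars))
    return table


def verify(table: dict, positions: tuple, supplied: str) -> bool:
    """Login: the site asks only for the characters at `positions`."""
    salt, digest = table[positions]
    return hmac.compare_digest(digest, _digest(salt, supplied))


def crack(table: dict) -> tuple:
    """Offline attack on a leaked table.

    Brute-force the first subset in full, then pick subsets that overlap the
    known characters in all but one position, so every further character
    costs len(ALPHABET) guesses instead of multiplying the search space.
    Returns (recovered_password, number_of_hash_evaluations).
    """
    known = {}
    attempts = 0
    first = tuple(range(SUBSET_SIZE))
    salt, digest = table[first]
    for cand in itertools.product(ALPHABET, repeat=SUBSET_SIZE):
        attempts += 1
        if _digest(salt, "".join(cand)) == digest:
            known.update(zip(first, cand))
            break
    for p in range(SUBSET_SIZE, PASSWORD_LEN):
        positions = tuple(range(p - SUBSET_SIZE + 1, p + 1))  # sliding window
        salt, digest = table[positions]
        prefix = "".join(known[i] for i in positions[:-1])
        for c in ALPHABET:
            attempts += 1
            if _digest(salt, prefix + c) == digest:
                known[p] = c
                break
    return "".join(known[i] for i in range(PASSWORD_LEN)), attempts


def full_search_size() -> int:
    """Work an attacker faces if only a hash of the whole password leaked."""
    return len(ALPHABET) ** PASSWORD_LEN


if __name__ == "__main__":
    table = enroll("4819203765")          # constructed password
    print(verify(table, (0, 2, 4, 6, 8), "41236"))
    recovered, work = crack(table)
    print(recovered, work, "of", full_search_size())
```

On a leaked table the attacker never needs more than 10**5 + 50 hash evaluations here, against 10**10 for a single hash of the whole password. The login check itself is fine for its purpose; it is the stored material that gives the game away.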
Although it seems like security theatre, the PIN solution actually sounds more useful. The typical attack on a system protected by PINs, like bank cards, is not cracking hashes offline - it's that the attacker tries the PINs on the live system and gets locked out after a small number of failures. Assuming the bad actor can't just initiate another call and ask for the other two digits.
Oh, sure, the authentication itself is fairly usable for the given usecase, the hashing is security theater. I advocated not hashing those PINs, but you know, standards, auditors, etc. "Passwords must be hashed", security theater or not.
I like the system where you only enter parts of your password. It means that even with a key logger or hacked site, you’d need several logins to be able to scrape the password
Possibly or they could store N salted hashes, one for one of the N permutations of a mask over the password character positions. This basically splits the end user password into N passwords with smaller entropy but this can be mitigated by requiring high entropy for the original password.
If the "sub" passwords are 2 chars long then they have far too little entropy. For this to make any sense it must use a sizable subset of the full password (which must be longer than usual to accommodate that).
And all this to protect against keyloggers. Probably a hardware token second factor is more effective.
There's actually a lot of scientific evidence that hyperpalatable food contributes significantly to obesity and that bland food does lead to an instantaneous drop in appetite.
It's not about any penance, you got it all wrong, this is about our brain going haywire for food high in calories.
> write passwords down in places that are easy to find (like post-it notes next to the screen)
Writing passwords on post-it notes is often used as a ridicule of non-tech-savvy folks behavior. I'd like to pose this question: If you're doing this not at an office, but at home, is this really so bad?
Say you run a web site on AWS and write your really long AWS password on a piece of paper at home. It would take a hacker finding out where you live and breaking into your house to find the piece of paper to access it. On the other hand, your ordinary neighborhood burglars typically care about cash and jewelry in your house, not post-it notes with passwords. It seems those two categories of intruders rarely overlap, unless you're a world famous target.
The threat model is always important. What does your home look like? Who are you protecting from? If your current home is a shared student accommodation, post-its are probably a bad idea. If you live with potentially abusive family members, it may be a bad idea.
But in many cases when you don't live your life online and login everywhere with your Google account federation - sure write it on a post-it. It's not good enough though if you have 20+ accounts and would make you share a password between them.
You're very right. It's all about threat models. I would rather my grandma (or really anyone that would have a hard time dealing with a password manager) have a password journal than all her passwords be the exact same thing.
>If you're doing this not at an office, but at home, is this really so bad?
Yes. Keyloggers, webcams and untrustworthy roommates/family members/landlords are all low threats, but this encourages people to use the same password for multiple sites/services so as not to get overwhelmed by sticky notes. So whenever one of those is breached, your email:pass combo becomes public knowledge.
I know a person with many sheets of paper filled with site names and their passwords. Basically a password manager on paper. It's excellent protection against password-stealing malware but it's very bad if a burglar enters the house and also steals the passwords. It's also a pain to look for a site (the passwords are not in an old-fashioned phone number agenda) and to type the passwords every time.
I do this, but also have a small prefix I add to the start of each password which I don't write down. The biggest threat is probably someone I know finding the passwords and trying to use them, so the odds of that kind of person actually brute forcing the prefix are pretty low.
I used to write down numerical passwords interspersed number by number with a friend's telephone number. Not exactly military grade security but enough to make it non obvious to someone looking through.
You could also hash it with a common hash function and use the first X letters of the result string (if the website does not DEMAND "special characters", that is).
This is changing though. More and more people are becoming sufficiently savvy that if they find a password when they break in (and they're criminals to begin with), perhaps they can then try it with many common websites.
Have you got any evidence for it? There's next to no monetary gain from any online account and even breaking into someone's bank online means you need to find a way to transfer money without leaving a trace and without extra transfer validation. Who would trade an extra minute when they can get caught for a random password?
Break-ins are rare (I mean, most people will never have one in their lives); and if your threat model assumes a tech-savvy thief then all your accounts should be considered compromised anyway, since it's likely that some of the stolen devices will include some access tokens/cookies that could grant access to some accounts, which can then be escalated to e.g. reset passwords to other accounts.
In general the UK government websites are excellent. They have a largely consistent UI, good use of links, and straightforward prose. An example picked at random:
For whatever weird reason, despite having completely incompetent governments since the appearance of the internet, our country has world-class digital services. The gov.uk design system[0] is a very good read, especially for people who aren't experienced in UX design.
Being a Firefox user, I have dom.event.contextmenu.enabled and dom.event.clipboardevents.enabled set to false, so that I can continue right-clicking and pasting.
If you are on macOS, I have two Services I use to get around these.
Paste as Keyed Characters types in the contents of the clipboard for you [0].
Paste AlphaNumeric Only will only paste in letters and numbers from the clipboard [1]. Very useful when pasting contact phone numbers into forms that only allow numbers.
You do not end up losing those. Both the popup menus - the site's as well as the browser's - are shown, the latter on top of the former. Press Esc to make your browser's vanish, and you still have the site's available.
So much of main line security practice is cargo cultism. There is so little use of actual research and data on how compromises actually happen. Somebody just gets the idea something is good for security and it sticks. No rationale needed.
Related to this, every security team I’ve ever interacted with barely knows how to work a computer and mostly operates off of commercially purchased scanning tools and security agents.
My theory is that security is the least desirable part of the entire software engineering stack - it’s boring, has a lot of blame and liability potential, and it’s a cost center. Heck at least infrastructure folks get to brag about things like cost optimizations.
As a result it seems to me that security attracts the kind of people who view it as a way to wear a digital uniform and badge.
I recently started a CISSP course and discovered this. I was so excited to finally be getting into security and the next thing I know I'm 3 hours into recordings about pointless jargon and control taxonomies. I know there is a place for the latter at least, but it isn't something I want to do everyday.
CISSP will have you learn the required strength of a light bulb to light the alley behind the office. OSCP will introduce you to overflowing a buffer and pwning a remote service...
If you're pasting passwords into fields from a password manager, even if you paste it into the wrong place there is almost no chance of a real compromise. You have unique passwords everywhere, so a perpetrator would have to guess which of your hundreds of websites it is for.
I've experienced this first hand as a developer. Our team was working on revamping an e-commerce platform and we had developed a CRUD API for the shopping cart. Everything was going smoothly until a manager decided to take issue with our use of HTTP DELETE for removing items from the cart. The person in question wasn't technical but pointed to a document which expressly prohibited the use of the DELETE verb across all applications developed by the company citing an unspecified security risk. Wasn't around long enough to dig deeper into that, but probably wouldn't have gotten far given how partial the company was to superstition.
I have noticed many implementations appear to be able to capture the password and have it auto-filled, or maybe my password managers are somehow able to handle them. I’m not against it when it works like that, as there are sometimes valid reasons for the design.
Benefit: works across all browsers, even daffy embedded (electron) ones where it's inconvenient to install extensions.
[0] every browser extension you install that has a broad permissions manifest is a liability; when they get popular, the authors start receiving offers of money from sketchy people in exchange for adding 'extra' bits of JS
Seems a plausible concern that malware on the PC can access the clipboard, so they discourage copying their password into clipboard. But intercepting keystrokes to another program (at least in Windows) doesn't require any special permissions either.
Would the concern more be background web tabs (cross-site) accessing the global clipboard? Vaguely recall that was possible a long time ago but likely locked down now.
If there is malware on the pc then the browser itself must be assumed compromised. It's futile to half plug one small hole while a million others exist.
And by attempting to plug that hole you've added an inconvenience that may encourage users to use a less secure password.
One of the most useful changes to usability is displaying your password...when using mobile is a great advantage. Pasting can be useful in the mobile case as well. As sometimes typing in cellphones is not the easiest thing to do
My simple response. Stop using websites and apps that prevent pasting because it implies that the website or app has no idea how to secure their website or app properly.
The web is unfortunately too ubiquitous for this approach. If I get hired by someone, I have to use the website they chose for pay stubs, or health insurance descriptions, or direct deposit configuration, or stock option distribution, or many other life-essential services that an individual has absolutely no control of. Sure I can complain to HR, but it will fall on deaf ears that were sold by a shitty SaaS pitch that made some loser’s life mildly easier in return for a subscription payment.
And that’s not even touching all of the government websites that behave in this way.
My password manager has 429 entries right now. Maybe memorising is possible for some people who don't live and work on the internet every day. But I suspect most people in tech are in a similar position - unless you're into professional level scrabble, 429 random strings is too many.
How on earth could I remember random complex passwords I use once a year?
I can memorise af58f916cc0cb22193c18f02d3c1cc3e easily, but once you work out (perhaps a keylogger) why that's my paypal password, my google password of 68b31385067f73977c6007cefcddbe74 falls quickly
The quoted passwords are md5 sums of paypalformyusername and googleformyusername
Easy to remember, and you'd have to be very determined to get the link between them even if both were compromised, but if the plain text version was compromised then it would compromise the entire system
That's the most secure system I can think of which doesn't involve remembering thousands of complex random passwords. Sure I can remember "correcthorsebatterystaple", but can I remember which 4 words for which specific site?
I have c.600 passwords in one manager. That's not even all of them - some I'm required not to write down, some I keep offline, some I choose to keep as memorable phrases. All those directly connected to ability to spend any money I keep offline (memory or paper).
I'll admit I'm probably an exceptional case but regular users must have 100 or more passwords after a couple of years online.
I've resorted to autohotkey keyboard shortcuts to simulate typing in credentials at times.
When I had to log into this one vpn for work I even used to have it open the 2fa app, click the button to copy the code, open the vpn app, enter all the fields, and log in all from one keyboard shortcut.
I've long thought you should be able to use a hot key + insecure password to generate a strong time limited password. Insecure password could be just the website domain name for all it matters.
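Two ideas in this thread fit one piece of code: the scheme a few comments up of deriving each site's password from a hash of the site name plus a username (whose stated weakness is that learning the recipe breaks every account), and the comment just above about a hot key plus an insecure label producing a strong, time-limited password. The block below is an added example, not any poster's tool. It keys the derivation with a secret (HMAC-SHA256 rather than a bare hash, so a leaked output or a guessed label reveals nothing about the other sites) and optionally mixes in a time window so a captured password expires. The master secret, the 30-minute window and the special-character set are constructed assumptions.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed values. A real deployment would fetch MASTER_SECRET from the
# OS keychain at hot-key time, never embed it in source.
MASTER_SECRET = b"example-master-secret-not-for-real-use"
WINDOW_SECONDS = 30 * 60      # assumption: a derived password lives 30 minutes
SPECIAL = "!#%&*+-=?@"        # assumption: for sites that demand a special character


def derive_password(domain: str, master: bytes = MASTER_SECRET,
                    now: Optional[float] = None, window: Optional[int] = None,
                    length: int = 20) -> str:
    """Derive a per-site password from a secret key and a public label.

    The label (domain, optionally a time-window counter) can be as weak as
    you like: without `master` an attacker cannot recompute any output, and
    one leaked output does not help with another site. Passing `window`
    makes the result change every `window` seconds, so a value captured by
    a keylogger stops working once the window rolls over.
    """
    label = domain.strip().lower().encode()
    if window is not None:
        counter = int((time.time() if now is None else now) // window)
        label += b"|" + str(counter).encode()
    raw = hmac.new(master, label, hashlib.sha256).digest()
    body = base64.b64encode(raw).decode()[: length - 1]
    # Append one special character chosen from the digest so sites with a
    # "must contain a symbol" rule accept it; the choice is deterministic.
    return body + SPECIAL[raw[-1] % len(SPECIAL)]


def windows_remaining(now: Optional[float] = None,
                      window: int = WINDOW_SECONDS) -> int:
    """Seconds until the current derived password rolls over."""
    t = time.time() if now is None else now
    return int(window - (t % window))


if __name__ == "__main__":
    print(derive_password("paypal.com"))
    print(derive_password("paypal.com", window=WINDOW_SECONDS),
          "expires in", windows_remaining(), "s")
```

The time-windowed variant only works where you can change the stored password at each rollover (the "time limited password" in the comment above needs server cooperation); the stateless variant is a direct replacement for the md5-of-site-name scheme and removes its single point of failure.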
I’m a happily paying user of 1Password personally, although I’ve used bitwarden in the past and it’s great and self hostable too. I just prefer 1pass for its fast updates and great integration with the Apple ecosystem. If you wanna host your data with gdrive or the like keepass is less polished but also very solid.
Highly unlikely, I think. The letters are too crisp. And the way the text follows the corners, while cleverly done, doesn't reflect the way real graffiti would be done.
They even scramble the keypad and vary the last 2 bits of the colour, so you need to do an approximate match on the buttons. Still takes maybe 40 lines of python to automate the login.
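An added example of the approximate matching the comment above describes (not the commenter's script): the scrambled keypad is modelled as ten buttons, each a small bitmap whose two low colour bits are randomised per page load, and each button is matched against clean digit templates with a tolerance that swallows the jitter. The 4x4 glyphs, the ink and background colours and the tolerance are constructed; a real version would crop the buttons from a screenshot and use templates captured once.

```python
import random

# Constructed 4x4 glyphs for the digits; "#" is ink, "." is background.
GLYPHS = {
    "0": ["####", "#..#", "#..#", "####"],
    "1": [".#..", "##..", ".#..", "###."],
    "2": ["###.", "..#.", ".#..", "####"],
    "3": ["###.", "..##", "...#", "###."],
    "4": ["#..#", "#..#", "####", "...#"],
    "5": ["####", "#...", "###.", "...#"],
    "6": ["#...", "####", "#..#", "####"],
    "7": ["####", "...#", "..#.", ".#.."],
    "8": ["####", "#..#", "####", "#..#"],
    "9": ["####", "#..#", "####", "...#"],
}
INK, BG = (200, 200, 200), (40, 40, 40)   # low two bits are zero in both

# Clean templates: one RGB tuple per pixel, no jitter.
TEMPLATES = {
    d: [INK if ch == "#" else BG for row in rows for ch in row]
    for d, rows in GLYPHS.items()
}


def render_button(digit: str, rng: random.Random) -> list:
    """The site's side: draw a button with the last 2 bits of each channel varied."""
    return [
        tuple((c & ~3) | rng.randrange(4) for c in (INK if ch == "#" else BG))
        for row in GLYPHS[digit] for ch in row
    ]


def render_keypad(order: list, rng: random.Random) -> list:
    """A keypad is the ten buttons in scrambled `order` (a permutation of digits)."""
    return [render_button(d, rng) for d in order]


def distance(a: list, b: list) -> int:
    """Largest per-channel difference across all pixels (Chebyshev distance)."""
    return max(abs(x - y) for pa, pb in zip(a, b) for x, y in zip(pa, pb))


def classify(button: list, tolerance: int = 3) -> "str | None":
    """Nearest template within `tolerance`; None if nothing is close (e.g. a blank)."""
    best = min(TEMPLATES, key=lambda d: distance(button, TEMPLATES[d]))
    return best if distance(button, TEMPLATES[best]) <= tolerance else None


def recover_layout(keypad: list) -> list:
    """Which digit sits at each button position on this page load."""
    return [classify(b) for b in keypad]


def click_sequence(pin: str, layout: list) -> list:
    """Button indices to click, in order, to enter `pin` on this layout."""
    return [layout.index(d) for d in pin]


if __name__ == "__main__":
    rng = random.Random(7)                  # constructed seed
    order = list("0123456789")
    rng.shuffle(order)
    keypad = render_keypad(order, rng)
    layout = recover_layout(keypad)
    print(layout == order, click_sequence("2580", layout))
```

Two bits of colour noise move a pixel by at most 3 per channel, while any two digit glyphs differ by 160 in at least one pixel, so a nearest-template match with tolerance 3 is unambiguous. That is why the jitter buys nothing against automation while still costing real users the ability to use a password manager.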
Yes. Mostly they disable cmd-v/ctrl-v, but pasting via the context menu or the ‘Edit’ menu works.
In theory it's possible that they're trying to do some other thing by handling keyboard input on password fields, and that interferes with hotkeys—but I can't imagine what that other thing would be.